[Openid-specs-fapi] Issue #120: CIBA: x-fapi-device-id header (openid/fapi)
issues-reply at bitbucket.org
Wed Jul 19 13:53:50 UTC 2017
New issue 120: CIBA: x-fapi-device-id header
For CIBA flows it doesn't always make sense for the client to send customer IP address or last logged in headers.
However, it may be beneficial to send an identifier for the "consumption device". I've got this wording in the current draft of the FAPI CIBA profile:
In situations where the client does not control the consumption device,
- shall not send x-fapi-customer-ip-address or x-fapi-customer-last-logged-time headers;
- should send an x-fapi-device-id header which contains an identifier of the consumption device used by the customer.
NOTE: It may be useful for an FI’s fraud systems to know the device that is
the source of payment initiation requests, hence the recommendation for
the x-fapi-device-id header.
I'd welcome feedback on this.